Account Lifecycle Management
Overview
Account Lifecycle Management (ALM) in Apporetum provides your organisation with the tools to manage user accounts from initial provisioning through to the end of an identity's lifespan. This section covers the key features that make up Apporetum's ALM capabilities, including the state model, run history, provisioning flow, and mail templates.
By implementing ALM, your organisation ensures that all accounts are created, used, modified, and retired in accordance with your identity governance policies. This goes beyond simple account creation and deletion: it manages the complete journey a user may experience within your organisation, including pre-boarding entitlements, on-boarding, role changes, entitlement changes, and account dormancy.
What is Account Lifecycle Management?
Account lifecycle management is the process of managing user accounts across every stage of an identity's time within your organisation. Apporetum provides core capabilities to manage each of these stages and the rules and triggers that govern them, ensuring that access is always aligned with organisational policy.
Managing account lifecycles can be a time-consuming process without the right tooling. Apporetum enables you to automate account lifecycle transitions by defining business rules and event triggers that automatically move accounts between states and execute predefined actions, eliminating the need for manual oversight.
Apporetum also supports automatic user provisioning and deprovisioning, syncing directly from your organisation's HR system into Microsoft Entra ID. This ensures that when employees join, change roles, or leave the organisation, their identities are updated accordingly without manual intervention. The pre-boarding capability allows your organisation to configure required access packages and entitlements before a user's start date, ensuring they have the right access from day one.
What is the State Model?
A state model in Apporetum defines the complete lifecycle journey of user accounts within your organisation. It maps out the possible states an account can hold and the rules governing transitions between those states. At its core, the state model consists of four key components:
- States: such as Pre-boarding, Active, On Leave, Dormancy, and Termination.
- Transitions: the pathways between states.
- Triggers: the rules or conditions that must be satisfied to initiate a transition.
- Actions: the automated tasks performed when a transition occurs, such as provisioning access packages or sending email notifications.
Your organisation can configure multiple flows within a single state model to reflect different types of users and their own lifecycle journeys. The state model becomes a visual and executable representation of your organisation's identity policies, converting complex business rules into an automated system.
Draft state models can be modified without affecting production data, and simulations can be run to validate behaviour before publishing. Published state models represent the active configuration governing your identity landscape and can be scheduled to run automatically.
For information on how to configure a state model, see Configuring the State Model.
What is Run History?
Apporetum's run history feature provides a complete audit trail of all state model executions. It shows when transitions occurred, what triggered them, and what actions were performed. This visibility allows your organisation to monitor account lifecycle changes, investigate anomalies, and verify that access controls are functioning as intended.
The detailed execution records also serve as evidence for audits and compliance certifications, demonstrating that your identity governance processes are operating according to policy.
For information on how to view and interpret run history, see Model Run and Run History.
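The state model and run history described above can be sketched as a small rule evaluator. This is an added illustration, not Apporetum code or its configuration format: the state names come from this page, while the triggers, the 90-day threshold, the action names and the sample accounts are assumptions constructed for the example.

```python
from datetime import date

# State names come from the page. Triggers, the 90-day threshold and action
# names are constructed for illustration; they are not Apporetum configuration.
def left(a, today):
    return a["end_date"] is not None and a["end_date"] <= today

def started(a, today):
    return a["start_date"] <= today

def idle(a, today):
    # An account that never signed in ages from its start date.
    return (today - (a["last_sign_in"] or a["start_date"])).days > 90

# (from-states, to-state, trigger name, trigger, actions). First match wins,
# so the leaver rule is listed first and overrides dormancy.
TRANSITIONS = [
    (("Active", "On Leave", "Dormancy"), "Termination", "end_date_reached", left,
     ["remove_access_packages", "disable_account"]),
    (("Pre-boarding",), "Active", "start_date_reached", started,
     ["assign_access_package", "send_email_notification"]),
    (("Active",), "Dormancy", "no_sign_in_90_days", idle,
     ["disable_sign_in", "send_email_notification"]),
]

def run_model(accounts, today, simulate=False):
    """Evaluate each account once and return the run-history records.
    With simulate=True no state changes; the records show what would happen."""
    history = []
    for acct in accounts:
        for sources, target, name, trigger, actions in TRANSITIONS:
            if acct["state"] in sources and trigger(acct, today):
                history.append({"run_date": today.isoformat(), "account": acct["id"],
                                "from": acct["state"], "to": target, "trigger": name,
                                "actions": actions, "simulated": simulate})
                if not simulate:
                    acct["state"] = target
                break  # at most one transition per account per run
    return history

def sample_accounts():
    # Constructed sample data: (id, state, start_date, end_date, last_sign_in).
    rows = [("new.starter", "Pre-boarding", date(2024, 6, 3), None, None),
            ("idle.user", "Active", date(2020, 1, 6), None, date(2024, 1, 15)),
            ("leaver", "Active", date(2019, 3, 4), date(2024, 5, 31), date(2024, 1, 2)),
            ("steady", "Active", date(2021, 9, 1), None, date(2024, 5, 30))]
    keys = ("id", "state", "start_date", "end_date", "last_sign_in")
    return [dict(zip(keys, r)) for r in rows]
```

Calling `run_model(sample_accounts(), date(2024, 6, 3), simulate=True)` returns the records a real run would write without changing any account. A second real run on the same date returns an empty list, which is the behaviour to expect from a scheduled model.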
What is Provisioning Flow?
Provisioning flow is a configured path that determines how identity data from your organisation's workforce sources is processed and transformed into user accounts in your identity ecosystem. Provisioning automation reduces manual effort and errors, and ensures that accounts in your directory remain synchronised with your workforce data.
The provisioning flow integrates with Microsoft Entra ID through Microsoft's provisioning agent, which acts as the execution layer for Apporetum. The agent securely transmits and applies calculated identity lifecycle operations to Microsoft Entra ID in accordance with configured permissions and mappings.
Key components of the provisioning flow include:
- Workforce Feed Integration: connects to HR system data sources, including CSV files or direct integrations, containing employee information.
- Person-to-Identity Mapping: defines transformation rules that convert HR data fields into identity attributes using customisable logic.
- Account Type Assignment: determines what type of account should be created based on employee attributes.
- Automated Provisioning: triggers automatic creation of user accounts in Entra ID based on the configured rules.
For configuration guidance, refer to Configure Provisioning Flow in the Install documentation.
What is a Mail Template?
Mail templates allow your organisation to create and manage the email notifications that are sent when an account transition includes a Send Email Notification action. You can create or edit templates and configure the timing and trigger conditions for each notification.
For configuration guidance, refer to Configure Email Notifications in the Learn documentation.